7954141

Method and System for Transparently Authenticating a Mobile User to Access Web Services

Published: May 31, 2011
Assignee: not available in USPTO data
Technical Abstract

Patent Claims
38 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method for authenticating a subscriber of a first network to access an application service through a second network, wherein the second network is a packet data network and the access to the application services is in the form of access-request messages enclosed in a data packet, said data packet comprising an address in said second network allocated to a subscriber's address and said access-request message expressed with a syntax that complies with an application-level protocol, comprising the steps of: a) intercepting an access-request message to the second network; b) recognising the application-level protocol; c) providing a mapping between the subscriber's address and a first subscriber's identifier in the first network; d) generating a first authentication token including a second subscriber's identifier; e) associating the first authentication token to the access-request message; and f) transmitting the access-request message with said first associated authentication token to the second network.

2. The method of claim 1, wherein the second network is an internet protocol network and the subscriber's address is the internet-protocol address.

3. The method of claim 1, wherein the first network is a mobile network.

4. The method of claim 3, wherein the mobile network is a packet-switched cellular network.

5. The method of claim 4, wherein the packet-switched cellular network is a general packet radio service network.

6. The method of claim 4, wherein the packet-switched cellular network is an enhanced data rate for global system for mobile communications evolution network or a universal mobile telecommunications service network.

7. The method of claim 4, wherein the first and the second subscriber's identifiers are different from one another.

8. The method of claim 7, wherein the first network is a global system for mobile communications network and the first subscriber's identifier is a subscriber identity module-based identity.

9. The method of claim 8, wherein the subscriber identity module-based identity is the international mobile subscriber identity associated with the subscriber in the global system for mobile communications network.

10. The method of claim 7, wherein the second subscriber's identifier is a pseudonym associated with the first subscriber's identifier.

11. The method of claim 1, wherein step e) comprises including the first authentication token in the access-request message.

12. The method of claim 1, further comprising after step d), the step of encrypting the first authentication token with a digital signature.

13. The method of claim 1, wherein said first authentication token is expressed with a syntax that complies with the application-level protocol of the access-request message.

14. The method of claim 1, wherein the application-level protocol is selected from the group of session initiation protocol, hypertext transfer protocol, and simple object access protocol over hypertext transfer protocol.

15. The method of claim 1, wherein the application-level protocol is session initiation protocol or hypertext transfer protocol and said first authentication token is specified according to the security assertion markup language standard.

16. The method of claim 1, wherein the first network is a fixed access network.

17. The method of claim 16, wherein the fixed access network uses digital subscriber line access technology.

18. The method of claim 16, wherein the first subscriber's identifier is a logon ID.

19. The method of claim 1, further comprising after step f), the steps of: g) receiving at the application service through said second network said access-request with said associated first authentication token; h) generating a first response message to said received access-request message; i) generating a second authentication token and including said second authentication token into said first response message; j) intercepting said first response message including said second authentication token; k) extracting said second authentication token from said first response message; and l) verifying said second authentication token and, if the verification is positive, transmitting a second response message to the first network.

20. The method of claim 19, further comprising after step g), the step of verifying said first authentication token.

21. A method for authenticating a subscriber of a plurality of first networks to access an application service, wherein authentication of the subscriber from each first network is carried out by the method of claim 1.

22. The method of claim 1, further comprising the step of providing a mapping between the first authentication token and the requested application service.

23. The method of claim 22, wherein the mapping between the first authentication token and the requested application service comprises extracting the universal resource identifier of the requested service from the access-request message.

24. The method of claim 22, wherein the second subscriber's identifier is a pseudonym associated with the first subscriber's identifier and with the requested application service.

25. A system for authenticating a subscriber of a first network to access application services through a second network, wherein the second network is a packet data network, comprising: a subscriber station coupled to the first network and capable of generating access-request messages enclosed in data packets, said access-request messages being expressed with a syntax that complies with an application-level protocol; an allocation server capable of allocating an address in said second network to a subscriber's address and of providing a mapping between the subscriber's address and a first subscriber's identifier in the first network; a gateway capable of performing the following functions: to receive the access-request messages from the subscriber station, to interface the first network to the second network, and to assign the subscriber's address to the subscriber station; a first logical entity linked with the gateway and capable of intercepting the data packets generated from the subscriber station and directed to the second network through the gateway and of capturing in the data packet at least the subscriber's address; and a second logical entity linked with the first logical entity and capable of performing the following functions: to receive the subscriber's address and the access-request message from the first logical entity, to recognize the application-level protocol of the access-request message, to request the first subscriber's identifier from the allocation server, and to generate a first authentication token according to the application-level protocol, said token including a second subscriber's identifier, wherein the first logical entity or the second logical entity is capable of associating said first authentication token with the access-request message.

26. The system of claim 25, wherein the allocation server and the gateway are in the first network.

27. The system of claim 25, wherein the first logical entity and the second logical entity are in the first network.

28. The system of claim 25, wherein the first network is a mobile network and the subscriber station is a mobile station coupled to the first network via a wireless link.

29. The system of claim 28, wherein the first network is a packet-switched cellular network.

30. The system of claim 28, wherein the gateway is a gateway general packet radio service support node.

31. The system of claim 25, wherein the allocation server is an authentication-authorization-accounting server.

32. The system of claim 25, wherein the second network is an internet protocol network.

33. The system of claim 25, further comprising a certifying logical entity logically linked to the second logical entity and capable of encrypting the first authentication token.

34. The system of claim 25, wherein the first logical entity is an application-level firewall.

35. The system of claim 25, wherein the first network is a fixed access network and the subscriber station is a customer premises equipment coupled to the first network via a wired link.

36. The system of claim 35, wherein the first subscriber's identifier is a logon ID.

37. The system of claim 25, wherein said first logical entity is also capable of intercepting response messages transmitted through the second network and directed to said subscriber station through the gateway.

38. The system of claim 37, wherein said response messages include a second authentication token.
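The flow of claims 1, 11, 19, 20, 23 and 24 in working code, as an added illustration that is not part of the patent or of any product implementing it: a gateway intercepts an HTTP access request, recognises the protocol from the request line, asks a (constructed) allocation table for the IMSI bound to the source address, derives a service-specific pseudonym so the IMSI never leaves the first network, places a signed token in the request (claim 11) and forwards it; the service verifies that token (claim 20) and answers with a second token, which the gateway extracts and verifies before relaying the response (claim 19, steps j to l). Everything here is an assumption of the example: the IP-to-IMSI table, the keys, the X-Auth-Token header name, and the compact JSON token with an HMAC tag, which stands in for the digital signature of claim 12 and the SAML encoding of claim 15.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample data (not from the patent): the allocation server's current
# IP -> IMSI bindings and the keys held by the gateway and the service. A real
# deployment would use a digital signature (claim 12); HMAC stands in for it here.
ALLOCATIONS = {"10.0.0.7": "222010123456789"}   # address in second network -> IMSI
GATEWAY_KEY = b"gateway-token-signing-key"      # tags the first token (gateway -> service)
SERVICE_KEY = b"service-token-signing-key"      # tags the second token (service -> gateway)
PSEUDONYM_KEY = b"pseudonym-derivation-key"     # keeps the IMSI out of the token
TOKEN_HEADER = "X-Auth-Token: "                 # hypothetical header carrying the token


def recognise_protocol(message: str) -> str:
    """Step b): classify the intercepted message by its request line."""
    first = message.split("\r\n", 1)[0]
    if first.endswith("HTTP/1.1") or first.endswith("HTTP/1.0"):
        return "HTTP"
    if first.endswith("SIP/2.0"):
        return "SIP"
    raise ValueError("unsupported application-level protocol")


def lookup_subscriber(ip: str) -> str:
    """Step c): the allocation server maps the packet's source address to the IMSI."""
    return ALLOCATIONS[ip]


def pseudonym_for(imsi: str, service_uri: str) -> str:
    """Claim 24: pseudonym bound to both the subscriber and the requested service."""
    return hmac.new(PSEUDONYM_KEY, f"{imsi}|{service_uri}".encode(), hashlib.sha256).hexdigest()[:32]


def _sign(payload: dict, key: bytes) -> str:
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def _verify(token: str, key: bytes) -> Optional[dict]:
    """Return the token's claims if its tag checks out, otherwise None."""
    try:
        body, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def _header_value(lines: list, name: str) -> str:
    return next((h[len(name):] for h in lines if h.startswith(name)), "")


def gateway_forward(src_ip: str, request: str) -> str:
    """Steps a) to f): intercept, recognise, map, tokenise, associate, forward."""
    proto = recognise_protocol(request)
    request_line, _, rest = request.partition("\r\n")
    service_uri = request_line.split(" ")[1]              # claim 23: URI of the requested service
    imsi = lookup_subscriber(src_ip)
    token = _sign({"sub": pseudonym_for(imsi, service_uri), "svc": service_uri, "proto": proto},
                  GATEWAY_KEY)
    # Step e) / claim 11: carry the token inside the access-request message itself.
    return f"{request_line}\r\n{TOKEN_HEADER}{token}\r\n{rest}"


def service_handle(request_with_token: str) -> str:
    """Claim 19 g) to i) and claim 20: verify the first token, answer with a second one."""
    claims = _verify(_header_value(request_with_token.split("\r\n"), TOKEN_HEADER), GATEWAY_KEY)
    if claims is None:
        return "HTTP/1.1 401 Unauthorized\r\n\r\n"
    second = _sign({"sub": claims["sub"], "svc": claims["svc"], "status": "granted"}, SERVICE_KEY)
    return f"HTTP/1.1 200 OK\r\n{TOKEN_HEADER}{second}\r\n\r\nhello {claims['sub'][:8]}"


def gateway_return(response: str) -> Optional[str]:
    """Claim 19 j) to l): intercept the response, extract and verify the second token."""
    head, _, body = response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if _verify(_header_value(lines, TOKEN_HEADER), SERVICE_KEY) is None:
        return None  # verification failed: nothing is relayed to the first network
    # Strip the token before relaying the second response message to the subscriber.
    stripped = "\r\n".join(h for h in lines if not h.startswith(TOKEN_HEADER))
    return f"{stripped}\r\n\r\n{body}"


if __name__ == "__main__":
    req = "GET /mail/inbox HTTP/1.1\r\nHost: svc.example\r\n\r\n"   # constructed request
    forwarded = gateway_forward("10.0.0.7", req)
    print(gateway_return(service_handle(forwarded)))
```

The pseudonym is keyed per (subscriber, service) pair, so two services cannot correlate the same subscriber, and the service only ever learns a value the gateway can reverse; the IMSI stays inside the first network. Because the tag is checked before the token body is decoded, a tampered header is rejected without ever being parsed.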

Patent Metadata

Filing Date

Unknown

Publication Date

May 31, 2011

Inventors

Paolo De Lutiis
Gaetano Di Caprio
Corrado Moiso

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “METHOD AND SYSTEM FOR TRANSPARENTLY AUTHENTICATING A MOBILE USER TO ACCESS WEB SERVICES” (7954141). https://patentable.app/patents/7954141

© 2026 Patentable. All rights reserved.

Patentable is a research and drafting-assistant tool, not a law firm, and does not provide legal advice. Documents we generate are drafts for review by a licensed patent attorney.